Hi folks, [Cc'ing my fellow Tails developers, and also the Freepto ones who might be interested.]
I'm super happy to tell you that we've now released Tails 1.2, finally with some minimal AppArmor support! :) Our implementation is described on https://tails.boum.org/contribute/design/application_isolation/ We finally didn't take the alias rules way, and instead added some ad-hoc kludges: see the "Hacks to support the Live system usecase" section. Comments about these hacks are more than welcome. We also added some minimal automated tests to validate the behavior of shipped profiles, both with and without persistence enabled. As you can see in the "Using aliases rules to avoid modifying profiles" section, there's a whole bunch of problems that would make alias rules difficult for us to use, even once John's bugfixes land. So, while it's probably a good idea to fix known bugs in alias rules, it's probably not worth it to do so just to help Live systems. I figured it would be nice to let you know that :) Regarding using rewrite rules instead, as explained in "Using rewrite rules to avoid modifying profiles", I've not tried it yet, but I suspect it won't work so well for us either. Long-term, I'm now putting more hope into overlayfs than in alias or rewrite rules. However, one should check first whether overlayfs supports stacking up more than one read-only branch, as we do need this for the Tails incremental upgrades feature. Thanks everyone for you work and support! (And yes, "union" is a double-pun in the subject, as we're speaking of union filesystems, and some of the problems come from how union works in the AppArmor language grammar :) Cheers, -- intrigeri _______________________________________________ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.